Shared posts

27 Apr 14:45

A Wish to Whistle

by nedroid


26 Apr 09:46

Photo

Arnvidr

So much rings. Want to see this stuff again now.















26 Apr 09:45

Photo











26 Apr 09:44

Photo



26 Apr 09:44

Photo



26 Apr 00:28

Old Files

Arnvidr

Aah, the joys of retiring an old disk or computer.

Wow, ANIMORPHS-NOVEL.RTF? Just gonna, uh, go through and delete that from all my archives real quick.
25 Apr 10:09

mangosmoothie7: fileformat: STOP who fucking did this

by thehilariousblog


mangosmoothie7:

fileformat:

STOP

who fucking did this

25 Apr 09:48

Comic for April 25, 2014

Arnvidr

I mean, I'm not the only one that has to meet people a bunch of times before I know their name, right?

Dilbert readers - Please visit Dilbert.com to read this feature. Due to changes with our feeds, we are now making this RSS feed a link to Dilbert.com.
25 Apr 09:39

Final Moments

by Doug


Here are more apocalypses.

And a reminder to Vancouver folks: I’ll be at the Carded! art show tomorrow night. You should go too – it looks like fun!

24 Apr 23:06

Nerd Rage Against the Machine

by Adam

2014-04-24-Nerd-Rage-Against-the-Machine

23 Apr 19:27

How Much Data Plan Bandwidth Is Wasted By DRM?

by Soulskill
Arnvidr

Nothing new here, but most well-written critique of DRM is worth reading.

Bennett Haselton writes: "If you watch a movie or TV show (legally) on your mobile device while away from your home network, it's usually by streaming it on a data plan. This consumes an enormous amount of a scarce resource (data bundled with your cell phone provider's data plan), most of it unnecessarily, since many of those users could have downloaded the movie in advance on their home broadband connection — if it weren't for pointless DRM restrictions." Read on for the rest of Bennett's thoughts.









22 Apr 12:53

Record Labels Claim MP3s Too Good to Resell

by LaminatorX
Arnvidr

Pffft, mp3's aren't even good enough to buy.

22 Apr 12:31

Combo Breaker: Ultra Street Fighter IV Trailer

by Graham Smith
Arnvidr

Shared for the repeated master rhyme in the trailer soundtrack "This is a war, street fighter four". Masterful.

What? The Easter holiday is over!?

In another life, I didn’t spend the entire Easter weekend managing virtual football teams, but instead spent it practicing fighting game combos. I like to think that this dimensional doppelgänger has enough good taste to make Street Fighter his puncher of choice. I’ve never been good at it, but I’ve read enough to know that it’s good. And the trailer below for Ultra Street Fighter IV, due out early June August, makes me wish I could trade places with my other self for a while. Check out the stage with the dinosaurs in the background.


21 Apr 15:09

Cthulhu’s Witnesses

by Kristian

“But let's talk anyway. Nyarlathotep's congregations have the _worst_ snacks.”

Here is a Cthulhu comic without Cthulhu! Nyarlathotep is not getting his/her own tag just yet.

21 Apr 13:07

Happy Birthday, BASIC

by Brad R
Arnvidr

Heh, I remember using QBASIC in school in the 90's for some reason. That was fun.

Unfortunately I'm still keeping an old legacy app on life support at work these days, written in Visual Basic 6. Its days are numbered, but those days are too many still.

I've been around long enough to remember that the first product from Micro-Soft (as they were then known) was a BASIC interpreter for the MITS Altair computer. The rest, as they say, is history.

And like so many other products, Microsoft did not invent BASIC (Beginner's All-purpose Symbolic Instruction Code). Rather, it was invented at Dartmouth College, and was unveiled on May 1, 1964...fifty years ago next week.

BASIC was my second computer language (the first was FORTRAN). I learned it on a four-user timeshared PDP-8, storing programs on punched paper tape. It's probably not an overstatement to say that it was the language of the personal computer revolution (it was also the language of the Apple II computer). And fifty years later, it lives on in such forms as Microsoft's Visual Basic.

I've moved on to other languages. But a happy 50th birthday to BASIC!
20 Apr 01:55

Photo

Arnvidr

#seattleshare



19 Apr 21:30

Photo

Arnvidr

I lulzed



19 Apr 21:23

Photo





17 Apr 17:08

Too Much

by Justin Boyd


This logic applies to almost everything.

  • Think you aren’t working out enough?  MORE VIDEO GAMES
  • Not enough fiber in your di—MORE VIDEO GAMES
  • Forgot to—MORE VIDEO GAMES


17 Apr 16:14

Photo









16 Apr 12:28

Tax Time

by nedroid
Arnvidr

Taxes!


16 Apr 12:00

Study Finds US Is an Oligarchy, Not a Democracy

by Soulskill
Arnvidr

And I suspect most USians have known for a long time.

An anonymous reader writes "Researchers from Princeton University and Northwestern University have concluded, after extensive analysis of 1,779 policy issues, that the U.S. is in fact an oligarchy and not a democracy. What this means is that, although 'Americans do enjoy many features central to democratic governance,' 'majorities of the American public actually have little influence over the policies our government adopts.' Their study (PDF), to be published in Perspectives on Politics, found that 'When the preferences of economic elites and the stands of organized interest groups are controlled for, the preferences of the average American appear to have only a minuscule, near-zero, statistically non-significant impact upon public policy.'"









15 Apr 14:30

The Lighthouse Customer: Space Engineers (Survival Mode)

by Christopher Livingston
Arnvidr

This is starting to look interesting now.

This thing better have at least one cup holder.

Each Monday, Chris Livingston visits an early access game and reports back with stories about whatever he finds inside. This week, space-based gathering, crafting, and dying in Space Engineers’ new survival mode.

There’s a large red and white spaceship, its front end crumpled after what must have been a spectacular nosedive. There’s a tiny yellow space engineer inspecting the wreck, armed with only a handful of tools. There’s the inky blackness of outer space, the comforting glow of a distant sun, and an asteroid field of stationary rocks, chock-full of ore and minerals to mine. As the astronaut floats there, enchanted by the view, he notices a few of the asteroids — quite a few, in fact — have given up waiting for him to visit them and taken a more proactive stance. They’re delivering themselves to him. Well, at him, anyway. In an awful hurry.


14 Apr 17:25

Jenny McCarthy: "I Am Not Anti-Vaccine"

by samzenpus
Arnvidr

The words of someone seeing their constructed reality crash and burn.

Hugh Pickens DOT Com (2995471) writes "Jenny McCarthy is claiming she has been misunderstood and is not anti-vaccine. In an op-ed in the Chicago Sun-Times, McCarthy tries to ignore everything she's been saying about vaccines for years and wipe the record clean. 'People have the misconception that we want to eliminate vaccines,' McCarthy told Time magazine science editor Jeffrey Kluger in 2009. 'Please understand that we are not an anti-vaccine group. We are demanding safe vaccines. We want to reduce the schedule and reduce the toxins.' But Kluger points out that McCarthy left the last line out of that quotation: 'If you ask a parent of an autistic child if they want the measles or the autism, we will stand in line for the f--king measles.' That missing line rather changes the tone of her position considerably, writes Phil Plait and is a difficult stance to square with someone who is not anti-vaccine. As Kluger points out, her entire premise is false; since vaccines don't cause autism, no one has to make the choice between measles (and other preventable, dangerous diseases) and autism. Something else McCarthy omitted from her interview with Kluger: 'I do believe sadly it's going to take some diseases coming back to realize that we need to change and develop vaccines that are safe,' said McCarthy. 'If the vaccine companies are not listening to us, it's their f*cking fault that the diseases are coming back. They're making a product that's sh*t. If you give us a safe vaccine, we'll use it. It shouldn't be polio versus autism.' Kluger finishes with this: 'Jenny, as outbreaks of measles, mumps and whooping cough continue to appear in the U.S.—most the result of parents refusing to vaccinate their children because of the scare stories passed around by anti-vaxxers like you—it's just too late to play cute with the things you've said.' For many years McCarthy has gone on and on and on and on and on and on about vaccines and autism. 
'She can claim all she wants that she's not anti-vax,' concludes Plait, 'but her own words show her to be wrong.'"









14 Apr 14:50

Curse Cursive

by Adam
Arnvidr

Capital cursive letters? I never learnt that...

2014-04-15-Curse-Cursive

14 Apr 10:26

Apple vs Banana

by Doug
14 Apr 10:16

Photo



13 Apr 16:35

Sunday, April 13, 2014

Get Fuzzy by Darby Conley for April 13, 2014
12 Apr 06:22

Cloudflare Challenge proves 'worst case scenario' for Heartbleed is actually possible

by Richard Lawler

Symbol of the past few days. #heartbleed

Many already thought that the "Heartbleed" security flaw in OpenSSL could be used to steal SSL keys from a server, but now there's proof. This is important because if someone stole the private decryption key to servers used by any of the many web services that used OpenSSL, then they could spy on or alter (supposedly secure) traffic in or out until the key is changed. The Cloudflare Challenge asked any and all comers to prove it could be done by stealing the keys to one of their NGINX servers using the vulnerable version of OpenSSL, and it was completed this afternoon by a pair of researchers according to CEO Matthew Prince. Fedor Indutny tweeted that he'd done it earlier this evening, which the Cloudflare team later verified, crediting Indutny and another participant, Ilkka Mattila. Indutny has promised not to publish his method for a week so affected servers can still implement fixes, but according to Cloudflare his Node.js script generated more than 2.5 million requests for data over the span of the challenge.

Confused by all the programming and security terms and just need to know how this affects you? It means that you definitely need to change your passwords, but wait until affected services announce they've not only fixed their OpenSSL, but also swapped out (potentially compromised) security certificates for new ones.

Image credit: snoopsmaus/Flickr


Just cracked @CloudFlare 's challenge: https://t.co/8ZPSxyKF4D . I wonder when they'll update the page.

- Fedor Indutny (@indutny) April 11, 2014

Looks like @indutny got the challenge key! (Which is both exciting and terrifying.) Haven't confirmed used #heartbleed. Updates soon!

- Matthew Prince (@eastdakota) April 12, 2014

Private key has been successfully extracted from an nginx server using Heartbleed by @indutny: https://t.co/iIrwwSVpco Worst case scenario.

- John Resig (@jeresig) April 12, 2014

Congratulations to Fedor Indutny (@indutny) and Illkka Mattila for solving the CloudFlare Heatbleed Challenge. https://t.co/hze0MXM7OF

- Nick Sullivan (@grittygrease) April 12, 2014


Source: Cloudflare Challenge, Fedor Indutny (Twitter), Matthew Prince (Twitter)

12 Apr 05:49

More on Heartbleed

by Bruce Schneier

This is an update to my earlier post.

Cloudflare is reporting that it's very difficult, if not practically impossible, to steal SSL private keys with this attack.

Here's the good news: after extensive testing on our software stack, we have been unable to successfully use Heartbleed on a vulnerable server to retrieve any private key data. Note that is not the same as saying it is impossible to use Heartbleed to get private keys. We do not yet feel comfortable saying that. However, if it is possible, it is at a minimum very hard. And, we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible.

The reasoning is complicated, and I suggest people read the post. What I have heard from people who actually ran the attack against various servers is that what you get is a huge variety of cruft, ranging from indecipherable binary to useless log messages to people's passwords. The variability is huge.

This xkcd comic is a very good explanation of how the vulnerability works. And this post by Dan Kaminsky is worth reading.

I have a lot to say about the human aspects of this: auditing of open-source code, how the responsible disclosure process worked in this case, the ease with which anyone could weaponize this with just a few lines of script, how we explain vulnerabilities to the public -- and the role that impressive logo played in the process -- and our certificate issuance and revocation process. This may be a massive computer vulnerability, but all of the interesting aspects of it are human.

EDITED TO ADD (4/12): We have one example of someone successfully retrieving an SSL private key using Heartbleed. So it's possible, but it seems to be much harder than we originally thought.

And we have a story where two anonymous sources have claimed that the NSA has been exploiting Heartbleed for two years.

EDITED TO ADD (4/12): Hijacking user sessions with Heartbleed. And a nice essay on the marketing and communications around the vulnerability.

EDITED TO ADD (4/13): The US intelligence community has denied prior knowledge of Heartbleed. The statement is word-game free:

NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private sector cybersecurity report. Reports that say otherwise are wrong.

The statement also says:

Unless there is a clear national security or law enforcement need, this process is biased toward responsibly disclosing such vulnerabilities.

Since when is "law enforcement need" included in that decision process? This national security exception to law and process is extending much too far into normal police work.

Another point. According to the original Bloomberg article:

http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

Certainly a plausible statement. But if those millions didn't discover something obvious like Heartbleed, shouldn't we investigate them for incompetence?

Finally -- not related to the NSA -- this is good information on which sites are still vulnerable, including historical data.